How to connect GSA Internet access to Sophos firewall via site to site VPN for consistent egress IP

William 0 Reputation points
2025-10-22T14:20:05.8866667+00:00

We’ve set up Microsoft Entra Global Secure Access (Internet Access) with a Remote Network and are trying to bring up a site‑to‑site IPsec (route‑based, IKEv2) tunnel from our in‑office Sophos firewall so branch Internet traffic goes through GSA but still presents a single, consistent static egress IP for SaaS apps that use IP allow‑lists. The tunnel/handshake on Sophos is the sticking point (matching GSA defaults: AES‑GCM, DH group 24, PFS none; then BGP over the xfrm interface). What we need: proven Sophos settings or a Microsoft‑supported pattern that keeps SaaS seeing our office static IP. What we don’t want: deploying Private Access connectors/VMs for anchoring, or asking the SaaS vendor to whitelist Microsoft GSA egress IP ranges. Any precise guidance or examples to complete the handshake and preserve static‑IP egress under these constraints would be greatly appreciated.

Microsoft Security | Microsoft Entra | Microsoft Entra Internet Access